COMMAND
xlock
SYSTEMS AFFECTED
X11R6 xlock
PROBLEM
'bind' found the following. A format string bug exists in every X11R6 xlock's
handling of the display ('-d') option: the user-supplied display name ends up as the
format argument of the error routine, so conversion directives in it are interpreted.
(bind@cassius ~) $ xlock -d %x%x%x%x%x
xlock: unable to open display dfbfd958402555e1ea748dfbfd958dfbfd654.
Systems that we tested that were vulnerable included OpenBSD 2.7,
FreeBSD 4.1 and Slackware 7.1.
http://www.linux-mandrake.com/en/flists.php3#security
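The following is an added example, not code from the advisory or from xlock itself. It shows the defensive side of the bug above: a small scanner that counts conversion directives in an untrusted string (useful for a fuzz harness or a log-line check), and a message builder written the way the patched error() works, with the untrusted text passed as an argument to a fixed "%s" format. The function names count_format_directives and format_display_error are my own; the sample strings are constructed, the hostile one being the same argument the advisory passes to -d.

```c
#include <stdio.h>
#include <string.h>

/*
 * Count printf-style conversion directives in untrusted text.
 * A '%' followed by anything other than '%' starts a directive;
 * "%%" is a literal percent sign and is not counted.
 * Any count above zero means the string must never be used as a format.
 */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent, skip both characters */
            s++;
            continue;
        }
        n++;                    /* "%x", "%s", "%n", or a trailing lone '%' */
    }
    return n;
}

/*
 * Hardened message builder, same shape as the patched xlock error():
 * the untrusted display name is an argument to a fixed format, never
 * the format itself. Returns the snprintf result (length of the full
 * message, even if truncated).
 */
int format_display_error(char *out, size_t outlen, const char *display)
{
    return snprintf(out, outlen, "xlock: unable to open display %s.", display);
}

int main(void)
{
    /* Constructed samples: the advisory's -d argument and a benign display name. */
    const char *hostile = "%x%x%x%x%x";
    const char *benign = "localhost:0";
    char msg[128];

    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    printf("directives in \"%s\": %d\n", benign, count_format_directives(benign));

    /* With the fixed-format pattern the directives are printed literally;
     * no stack words are read, unlike the output quoted in the advisory. */
    format_display_error(msg, sizeof msg, hostile);
    puts(msg);
    return 0;
}
```

Compiling xlock.c (or any C source) with GCC's `-Wformat -Wformat-security` flags would have reported both of the calls the patch below rewrites, since each passes a non-literal format with no further arguments; that warning is the cheapest regression check for this bug class.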
SOLUTION
The patch is attached:
--- xlock.c Tue Aug 15 23:10:32 2000
+++ xlock-patched.c Tue Aug 15 23:03:22 2000
@@ -944,7 +944,7 @@ error(const char *buf)
#if defined( HAVE_SYSLOG_H ) && defined( USE_SYSLOG )
extern Display *dsp;
- syslog(SYSLOG_WARNING, buf);
+ syslog(SYSLOG_WARNING,"%s", buf);
if (!nolock) {
if (strstr(buf, "unable to open display") == NULL)
syslogStop(XDisplayString(dsp));
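Review bot: the syslog line is the right fix; buf carries the display string from the command line and is now an argument to a fixed "%s" format instead of being the format itself. Minor style point: match the spacing of the surrounding calls, `syslog(SYSLOG_WARNING, "%s", buf);`. The strstr(buf, "unable to open display") check that follows still keys on the message text, which this hunk leaves unchanged, so the syslogStop behaviour is unaffected.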
@@ -953,7 +953,7 @@ error(const char *buf)
closelog();
}
#else
- (void) fprintf(stderr, buf);
+ (void) fprintf(stderr,"%s", buf);
#endif
exit(1);
}
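Review bot: same fix for the non-syslog branch; consider `(void) fputs(buf, stderr);` here, which removes the format machinery from the path entirely and makes the intent obvious to the next reader. If the `"%s"` form is kept, add the space after the comma for consistency with the rest of the file. Either form also silences the `-Wformat-security` warning that the original `fprintf(stderr, buf)` triggers.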
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ecomm/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ecomm/SRPMS/xlockmore-4.17-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferrgraf/i386/xlockmore-4.17-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferrgraf/SRPMS/xlockmore-4.17-1cl.src.rpm
On SuSE Linux xlock is setgid shadow, so all an attacker gains by
exploiting this bug is read access to /etc/shadow... weak
passwords are another problem. Nevertheless, SuSE fixed it and the
RPMs will be available ASAP.
Fixed packages are available in xlockmore/xlockmore-gl 4.12-5 for
Debian 2.1 (slink) and xlockmore/xlockmore-gl 4.15-9 for Debian
2.2 (potato).
For Linux-Mandrake:
6.1/RPMS/xlockmore-4.17.1-2mdk.i586.rpm
6.1/SRPMS/xlockmore-4.17.1-2mdk.src.rpm
7.0/RPMS/xlockmore-4.17.1-1mdk.i586.rpm
7.0/SRPMS/xlockmore-4.17.1-1mdk.src.rpm
7.1/RPMS/xlockmore-4.17.1-1mdk.i586.rpm
7.1/SRPMS/xlockmore-4.17.1-1mdk.src.rpm
As for FreeBSD, deinstall the xlockmore port/package if you have
installed it. The solution is one of the following:
1) Upgrade your entire ports collection and rebuild the
xlockmore port.
2) Deinstall the old package and install a new package dated
after the correction date, obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/xlockmore-4.17.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/xlockmore-4.17.1.tgz
3) Download a new port skeleton for the xlockmore port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.